W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: WGLC #348: Realms and scope

From: David Morris <dwm@xpasc.com>
Date: Wed, 6 Jun 2012 10:37:47 -0700 (PDT)
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.LRH.2.01.1206061023560.15954@egate.xpasc.com>

On Tue, 5 Jun 2012, Julian Reschke wrote:

> On 2012-06-05 02:16, David Morris wrote:
> > ...
> > This took a few days to set up a careful test case. I don't have the time
> > or resources to test every client, so I can't refute the claim that some
> > clients send the authorization header for a part of the hosts content
> > which it doesn't apply to, but I've tested:
> What's the definition of "doesn't apply to"?

>From memory ... which has stuck with me because I wasn't real happy
with the definition ...

Thinking of URLs as representing the hierarachical name space
we commonly associate with a file system ...

Realm "RauthA" returned in a 401 response's www-authenticate header
for a request for authab/a/ may be assumed to applu to directory 
authab/a/ and to all directories under authab/a/. So if the client
has credentials for authab/a/ it may return those credentials
in the Authorization header in a request for authab/a/aa/
anticipating that the same credential would apply, but not for
authab/ or any peer of authab/a/ such as authab/b/ in my test.

My current test setup doesn't support the subdirectory case, but
I think I'll expand it when I get a chance.  I also need to go back
and review the RFCs to validate my memory.

Dave Morris
Received on Wednesday, 6 June 2012 18:09:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:00 UTC